

STIX Block #2: Quick Wins

www.oasis-open.org

January 14, 2016

Session objective

See if we can quickly nail down some quick wins

VERY briefly describe apparent consensus on 10 issues/proposals

Confirm/Refute that consensus holds among F2F attendees

VERY briefly identify any areas of non-consensus as open questions

Post-F2F, post proposals to list (with 1 week window) to achieve formal consensus or discuss open questions

Ideally identify JSON Schema snippets from TWIGS and add them to proposals

Make IDs required (RM#5) (Prop#2)

Quick summary of consensus

Both “strawmen” agree that the ID property should be required on all constructs that support it

Any objections to this consensus?

Remove Short_Description (prop#4)

Quick summary of consensus

Both “strawmen” agree with removing this field as unnecessary

Any objections to this consensus?

External_IDs (prop#3)

Quick summary of consensus

Both “strawmen” agree that all IDable constructs should support an “External_IDs” property that:

Lets you specify an ID (as a string) from some external source/system

Provides an optional simple string “Definer” subproperty to specify who/what the ID is from

Provides an optional simple URI “Reference” subproperty to specify a URI to the actual ID’d content within the external system/environment

Any objections to this consensus?
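The three rules above, turned into a validator as an added example (not code from the deck or from any STIX release); the key names external_ids, id, definer and reference are assumptions mirroring the deck's labels:

```python
# Validator for the proposed External_IDs property (prop#3). Added example,
# not from the deck or from any STIX release; the key names external_ids,
# id, definer and reference are assumptions mirroring the deck's labels.
from urllib.parse import urlparse


def _is_uri(value):
    # The deck calls Reference a URI, so require at least a scheme.
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def validate_external_ids(construct):
    """Return a list of problems; an empty list means the property is valid.

    Rules from the deck: each entry carries an ID string from an external
    source, an optional string Definer saying who/what the ID is from, and
    an optional URI Reference pointing at the ID'd content.
    """
    errors = []
    entries = construct.get("external_ids")
    if entries is None:
        return errors  # the property is supported, not required
    if not isinstance(entries, list):
        return ["external_ids must be a list"]
    for index, entry in enumerate(entries):
        where = "external_ids[%d]" % index
        if not isinstance(entry, dict):
            errors.append(where + ": entry must be an object")
            continue
        ext_id = entry.get("id")
        if not isinstance(ext_id, str) or not ext_id:
            errors.append(where + ".id: required non-empty string")
        definer = entry.get("definer")
        if definer is not None and not isinstance(definer, str):
            errors.append(where + ".definer: must be a string when present")
        reference = entry.get("reference")
        if reference is not None and not (isinstance(reference, str) and _is_uri(reference)):
            errors.append(where + ".reference: must be a URI when present")
    return errors


# Constructed sample: an indicator with one well-formed and one broken entry.
SAMPLE_INDICATOR = {
    "external_ids": [
        {"id": "TKT-4711", "definer": "Example ticket system",
         "reference": "https://tickets.example.org/TKT-4711"},
        {"id": "", "reference": "not a uri"},
    ],
}
```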

Flatten Package lists (prop#14)

Quick summary of consensus

Both “strawmen” agree that the current 2-layer approach for component lists within Package should be flattened to a single layer containing 0..* of each component.

Any objections to this consensus?

Remove abstract base types (prop#15)

Quick summary of consensus

Both “strawmen” agree that the current abstract base types for the “top-level” objects are superfluous and should be removed and the objects simply be defined on their own

Any objections to this consensus?

TTP refactor for clarity (RM#10) (prop#12)

Quick summary of consensus

Both “strawmen” agree that the current TTP structure where Attack_Pattern, Malware, Exploit, Infrastructure, Tools, Persona and VictimTargeting are listed as properties should be changed such that these are each subclasses of a general TTP structure.

Any objections to this consensus?

ET refactor for clarity (prop#17)

Quick summary of consensus

Both “strawmen” agree that the current ExploitTarget structure where Vulnerability, Weakness and Configuration are listed as properties should be changed such that these are each subclasses of a general ExploitTarget structure.

Any objections to this consensus?

Report refactor (prop#16)

Quick summary of consensus

Both “strawmen” agree that, because content is no longer embedded and relationships are now separate objects, the Report object should be refactored to contain neither definitions of nor references to content; instead, with the Report acting as a kind of report cover sheet, all content relevant to the report would be asserted as separate relationship objects with a “Report Contains” nature

Any objections to this consensus?
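How a consumer would resolve such a cover-sheet Report against a flattened Package (prop#14), as an added example that is not code from the deck or from any STIX release; the component list names, the source_ref/target_ref keys and the nature string "report-contains" are assumptions standing in for the deck's “Report Contains” relationship:

```python
# Report as a cover sheet (prop#16) over a flattened Package (prop#14).
# Added example, not from the deck or any STIX release. The component
# list names, "source_ref"/"target_ref" and the nature "report-contains"
# are assumptions standing in for the deck's "Report Contains" relationship.

# Constructed sample package: one report, two indicators, one malware
# object, and the relationships that say what the report contains.
PACKAGE = {
    "reports": [{"id": "report--r1", "name": "Cover sheet only"}],
    "indicators": [{"id": "indicator--i1"}, {"id": "indicator--i2"}],
    "malware": [{"id": "malware--m1"}],
    "relationships": [
        {"id": "relationship--1", "nature": "report-contains",
         "source_ref": "report--r1", "target_ref": "indicator--i1"},
        {"id": "relationship--2", "nature": "report-contains",
         "source_ref": "report--r1", "target_ref": "malware--m1"},
        {"id": "relationship--3", "nature": "indicates",
         "source_ref": "indicator--i2", "target_ref": "malware--m1"},
        {"id": "relationship--4", "nature": "report-contains",
         "source_ref": "report--r1", "target_ref": "indicator--missing"},
    ],
}


def index_package(package):
    """Map every object id to its object across the flat component lists."""
    return {obj["id"]: obj for objs in package.values() for obj in objs}


def report_contents(package, report_id):
    """Resolve a report's contents through 'report-contains' relationships.

    Returns (contained, dangling): ids the report asserts it contains and
    that exist in the package, and ids asserted but absent. A consumer
    should surface dangling refs rather than silently dropping them.
    """
    objects = index_package(package)
    if report_id not in objects:
        raise KeyError("unknown report " + report_id)
    contained, dangling = [], []
    for rel in package.get("relationships", []):
        if rel["nature"] == "report-contains" and rel["source_ref"] == report_id:
            target = rel["target_ref"]
            (contained if target in objects else dangling).append(target)
    return contained, dangling
```

Relationships of any other nature (relationship--3 above) are left alone, so the report's membership is exactly what was asserted about it and nothing inferred.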

Abstract Victim to separate construct (prop#18)

Quick summary of consensus

Both “strawmen” agree that a new Victim construct should be created as an Identity class, that this new class should be used for Victim characterization within Incidents, and that a VictimTargeting class should be created that is a subclass of both TTP and Victim with additional properties for Targeted_Systems, Targeted_Information and Targeted_Technical_Details.

Any objections to this consensus?

DataMarkings application (RM#2)

Quick summary of consensus

Both “strawmen” agree to the proposed and discussed approach utilizing Marking_Definitions, Marking_Refs (L1) and Structured_Markings (L2)

Any objections to this consensus?


Summary out

Consensus items

Non-consensus items